Should third parties pen-test cloud services?

Organisations should demand more objective analysis of services provided, providers say

Cloud services should be subjected to third-party penetration testing to ensure an adequate level of security for customers, according to an integrator and a backup-as-a-service provider.

Cyber security services provider Security Alliance and cloud backup and disaster recovery provider Databarracks have joined forces in the call to action, arguing that UK businesses are putting themselves at risk by not demanding an objective analysis of the cloud services they will rely on.

Peter Groucutt, managing director of Databarracks, said attacks aimed at cloud environments now rival those aimed at on-premise systems, and the risk of attack is continuing to rise.

"Reputable cloud providers will have no problem with [customers] bringing in a third party to objectively test their environment. Take advantage of the opportunity. And the more exhaustive the tests, the better," Groucutt said.

He added that organisations should test cloud services providers as thoroughly as they would their own offerings. He said Databarracks has spoken to about 400 IT "decision makers", and about a third had confirmed experiencing a cyber threat in the past 12 months, yet had not altered their security policies.

Cloud services buyers should always ask to see supplier certifications around security, Groucutt indicated.

David Morgan, services director at Security Alliance, said penetration testing is the next step and can be crucial when selecting cloud services.

"Yes, you should always ask to see proof of the testing your supplier has carried out, but you shouldn't be afraid to demand testing of your own. By bringing in a third party to test a provider's environment, you'll have the assurance that your data is just as safe off site as it would be in your own server room," Morgan said.

He indicated, however, that expert advice was often needed to select the right type of testing, whether automated vulnerability scanning, manual testing, or social engineering.

"It can be difficult to know which methods are suitable to the services you're considering, and at what point you should carry them out," Morgan affirmed.

Human error, too, always requires consideration, he said.

"Human error is still the biggest cause of data loss in the organisations we work with. It's vital it isn't overlooked during testing. You'd be surprised how much sensitive information we can gather from the most basic social engineering exercises. Identifying weaknesses and regulating human policies is a crucial part of penetration testing," he said.

"Businesses need to be more proactive in testing."